On the state of the dns-01 challenge


#1

So this thread mainly talked about client support, I’d like to talk about server support.

Are there any rough estimates on when we will see the dns-01 challenge enabled on the staging and production servers? From a brief look at boulder, it seems already implemented, the test configuration has it enabled too. I couldn’t find any issues or discussions on the state of the implementation though, and I didn’t get to just trying it with a local installation yet since I didn’t have the time and motivation for a manual installation and the docker setup is broken.

Is there any reason to not allow unofficial clients to use this challenge, since it would solve many issues mentioned in many topics across this discussion board?


#2

We’re probably going to enable the DNS challenge in staging pretty soon after launch, to start testing out clients. I can’t commit to a particular launch date for turning it on in production, but we very much want to make it available soon! Subject, of course, to the usual caveats about development time and limited resources.

File an issue on the Boulder repo for the Docker issues you ran into?


#3

Well, that’s at least some good news I guess. What kind of category are we talking with “pretty soon” though? Within a week, month, two months?

One of the Docker issues would be “solved” by this old PR, but after applying it manually, it just failed somewhere else. And given things like this and a couple of equally old issues are still open, I just figured that no active developer is using them anymore and so they probably would break soon enough again anyway. It simply doesn’t boot up when running ./test/run-docker.sh on a clean and latest Docker (running Archlinux here and not using Docker much for anything else).


#4

It’s out right now in staging. Promotion to production sometime in January, we believe.


#5

When testing it with a local boulder I had to monkey patch stuff, see https://github.com/letsencrypt/boulder/issues/1242#issuecomment-164147744. Without it, it wouldn’t pass validation in any case. Did I overlook something fixing that issue?


#6

Nope. If you’d like to provide a PR with tests, we’d take it!


#7

I really have no idea what I’m doing there :wink: Also this: https://github.com/letsencrypt/boulder/blob/master/core/objects.go#L353 looks like you might have some more plans for additional validations, but I have no clue which.


#8

Looks like this works in letsencrypt staging now. Any ETA for production? It’s already at the same release, but it seems to be disabled for now.


#9

It just went to production. https://twitter.com/letsencrypt/status/689919523164721152


#10

I can’t find any useful documentation for the DNS challenge :pensive: Does anyone know of a guide or quick-start help?

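As an added illustration of what the dns-01 challenge actually checks (this is not code from the thread, from Boulder, or from any Let's Encrypt client; it follows the ACME specification and RFC 7638): the client proves control of a name by publishing a TXT record at `_acme-challenge.<domain>` whose value is the base64url-encoded SHA-256 of the key authorization `token.thumbprint`, where `thumbprint` is the JWK thumbprint of the account key. The token and the EC account key below are constructed placeholders (the key is not a real key; the thumbprint computation only needs the member strings), and the function names `jwk_thumbprint`, `key_authorization`, `dns01_record` and `validate_dns01` are my own. The validation side mirrors what a CA does with the TXT records it resolves, so it also shows the common mistake of publishing the raw key authorization instead of its digest.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, per key type, enter the thumbprint.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample inputs (not a real key, not a real token).
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",          # ignored by the thumbprint
    "kid": "constructed-1",  # ignored by the thumbprint
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON for RFC 7638: required members only, sorted, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """ACME key authorization: token '.' JWK thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """(record name, TXT value) the client must publish for dns-01."""
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def validate_dns01(txt_records: dict[str, list[str]], domain: str,
                   token: str, account_jwk: dict) -> bool:
    """CA side: succeed iff one TXT record at the challenge name equals the expected digest.

    txt_records models the resolver result as {owner name: [TXT strings]}.
    """
    name, expected = dns01_record(domain, token, account_jwk)
    return any(value == expected for value in txt_records.get(name, []))


if __name__ == "__main__":
    name, value = dns01_record("example.com", TOKEN, ACCOUNT_JWK)
    print(f"{name}. IN TXT \"{value}\"")
    # Publishing the raw key authorization (token.thumbprint) does not validate;
    # only its SHA-256 digest does.
    print("digest validates:", validate_dns01({name: [value]}, "example.com", TOKEN, ACCOUNT_JWK))
    print("raw keyAuth validates:",
          validate_dns01({name: [key_authorization(TOKEN, ACCOUNT_JWK)]},
                         "example.com", TOKEN, ACCOUNT_JWK))
```

Two details matter for anyone debugging a failed dns-01 validation: the thumbprint is computed over the required JWK members only, in sorted order with no whitespace, so extra members such as `alg` or `kid` must not change it; and the TXT value is the digest of the key authorization, never the key authorization itself.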

#11